Trusted internet identity

ABSTRACT

A token or other storage device uses Internet identities to set file access attribute rights. Subsequently, requests to access a file can be controlled by confirming the Internet identity of the requestor by either validating the request with a known public key or retrieving the public key from an Internet identity provider. Files may be stored encrypted and may be re-encrypted with the public key associated with Internet identity making the request.

BACKGROUND

Access control has been used for decades to create a list of users thatcan access a file or service, and to what extent a user can interactwith that file or service. Some users may be granted read-only access toa file, while others have read and edit rights. Still other users mayhave the ability to read, edit, and delete a file.

Access control lists are maintained by an operating system. In somecases, transferring a file from one computer to another may transfer theaccess control list associated with a file, but if the receivingcomputer does not have corresponding accounts, or does not enforceaccess control, the file may either be permanently locked andinaccessible, or unlocked and fully available to any account holder.

When a file is transferred to another type of computer system, forexample, from a PC to a UNIX machine, the access control list may bemeaningless.

The widespread use of portable media, from early one megabyte floppydisks to multiple gigabyte USB drives, has exacerbated this problem.Entire data sets may be moved quickly and easily, but the controlsassociated with access to those data sets can become both troublesomeand irritating on one hand, and ineffective on the other.

SUMMARY

A portable storage device enforces access control, not based on theoperating system and local accounts of a host computer, but rather usesInternet-based identities for uniform enforcement of access privileges.The processor-type and operating system of a host computer does notaffect access control because the portable storage device, or storagetoken, depends on a trusted service to provide identity confirmation.

When a requesting entity seeks access to protected data, the request mayincorporate a trusted identity, such as an authenticated cookie, that isevaluated locally at the storage token for use in determining whetheraccess should be granted.

The trusted identity may be established when the requesting entity logsin to a trusted site, provides its credentials and is then provided witha time-limited voucher, such as the authenticated cookie. Theauthenticated cookie can then be used during its duration for access.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a computer and associated elementsillustrating a platform supporting trusted Internet identities;

FIG. 2 is a block diagram of a storage token supporting trusted Internetidentities;

FIG. 3 is a topology of a system supporting trusted Internet identities;and

FIG. 4 is a method of performing file access control using a trustedInternet identity.

DETAILED DESCRIPTION

Although the following text sets forth a detailed description ofnumerous different embodiments, it should be understood that the legalscope of the description is defined by the words of the claims set forthat the end of this disclosure. The detailed description is to beconstrued as exemplary only and does not describe every possibleembodiment since describing every possible embodiment would beimpractical, if not impossible. Numerous alternative embodiments couldbe implemented, using either current technology or technology developedafter the filing date of this patent, which would still fall within thescope of the claims.

It should also be understood that, unless a term is expressly defined inthis patent using the sentence “As used herein, the term ‘______’ ishereby defined to mean . . . ” or a similar sentence, there is no intentto limit the meaning of that term, either expressly or by implication,beyond its plain or ordinary meaning, and such term should not beinterpreted to be limited in scope based on any statement made in anysection of this patent (other than the language of the claims). To theextent that any term recited in the claims at the end of this patent isreferred to in this patent in a manner consistent with a single meaning,that is done for sake of clarity only so as to not confuse the reader,and it is not intended that such claim term by limited, by implicationor otherwise, to that single meaning. Finally, unless a claim element isdefined by reciting the word “means” and a function without the recitalof any structure, it is not intended that the scope of any claim elementbe interpreted based on the application of 35 U.S.C. §112, sixthparagraph.

Much of the inventive functionality and many of the inventive principlesare best implemented with or in software programs or instructions andintegrated circuits (ICs) such as application specific ICs. It isexpected that one of ordinary skill, notwithstanding possiblysignificant effort and many design choices motivated by, for example,available time, current technology, and economic considerations, whenguided by the concepts and principles disclosed herein will be readilycapable of generating such software instructions and programs and ICswith minimal experimentation. Therefore, in the interest of brevity andminimization of any risk of obscuring the principles and concepts inaccordance to the present invention, further discussion of such softwareand ICs, if any, will be limited to the essentials with respect to theprinciples and concepts of the preferred embodiments.

With reference to FIG. 1, an exemplary system for implementing theclaimed method and apparatus includes a general purpose computing devicein the form of a computer 110. Components shown in dashed outline arenot technically part of the computer 110, but are used to illustrate theexemplary embodiment of FIG. 1. Components of computer 110 may include,but are not limited to, a processor 120, a system memory 130, amemory/graphics interface 121, also known as a Northbridge chip, and anI/O interface 122, also known as a Southbridge chip. The system memory130 and a graphics processor 190 may be coupled to the memory/graphicsinterface 121. A monitor 191 or other graphic output device may becoupled to the graphics processor 190.

A series of system busses may couple various system components includinga high speed system bus 123 between the processor 120, thememory/graphics interface 121 and the I/O interface 122, a front-sidebus 124 between the memory/graphics interface 121 and the system memory130, and an advanced graphics processing (AGP) bus 125 between thememory/graphics interface 121 and the graphics processor 190. The systembus 123 may be any of several types of bus structures including, by wayof example, and not limitation, such architectures include IndustryStandard Architecture (ISA) bus, Micro Channel Architecture (MCA) busand Enhanced ISA (EISA) bus. As system architectures evolve, other busarchitectures and chip sets may be used but often generally follow thispattern. For example, companies such as Intel and AMD support the IntelHub Architecture (IHA) and the Hypertransport™ architecture,respectively.

The computer 110 typically includes a variety of computer readablemedia. Computer readable media can be any available media that can beaccessed by computer 110 and includes both volatile and nonvolatilemedia, removable and non-removable media. By way of example, and notlimitation, computer readable media may comprise computer storage mediaand communication media. Computer storage media includes both volatileand nonvolatile, removable and non-removable media implemented in anymethod or technology for storage of information such as computerreadable instructions, data structures, program modules or other data.Computer storage media includes, but is not limited to, RAM, ROM,EEPROM, flash memory or other memory technology, CD-ROM, digitalversatile disks (DVD) or other optical disk storage, magnetic cassettes,magnetic tape, magnetic disk storage or other magnetic storage devices,or any other medium which can be used to store the desired informationand which can accessed by computer 110. Communication media typicallyembodies computer readable instructions, data structures, programmodules or other data. Combinations of the any of the above should alsobe included within the scope of computer readable media.

The system memory 130 includes computer storage media in the form ofvolatile and/or nonvolatile memory such as read only memory (ROM) 131and random access memory (RAM) 132. The system ROM 131 may containpermanent system data 143, such as identifying and manufacturinginformation. In some embodiments, a basic input/output system (BIOS) mayalso be stored in system ROM 131. RAM 132 typically contains data and/orprogram modules that are immediately accessible to and/or presentlybeing operated on by processor 120. By way of example, and notlimitation, FIG. 1 illustrates operating system 134, applicationprograms 135, other program modules 136, and program data 137.

The I/O interface 122 may couple the system bus 123 with a number ofother busses 126, 127 and 128 that couple a variety of internal andexternal devices to the computer 110. A serial peripheral interface(SPI) bus 126 may connect to a basic input/output system (BIOS) memory133 containing the basic routines that help to transfer informationbetween elements within computer 110, such as during start-up.

A super input/output chip 160 may be used to connect to a number of‘legacy’ peripherals, such as floppy disk 152, keyboard/mouse 162, andprinter 196, as examples. The super I/O chip 160 may be connected to theI/O interface 122 with a low pin count (LPC) bus, in some embodiments.Various embodiments of the super I/O chip 160 are widely available inthe commercial marketplace.

In one embodiment, bus 128 may be a Peripheral Component Interconnect(PCI) bus, or a variation thereof, may be used to connect higher speedperipherals to the I/O interface 122. A PCI bus may also be known as aMezzanine bus. Variations of the PCI bus include the PeripheralComponent Interconnect-Express (PCI-E) and the Peripheral ComponentInterconnect—Extended (PCI-X) busses, the former having a serialinterface and the latter being a backward compatible parallel interface.In other embodiments, bus 128 may be an advanced technology attachment(ATA) bus, in the form of a serial ATA bus (SATA) or parallel ATA(PATA).

The computer 110 may also include other removable/non-removable,volatile/nonvolatile computer storage media. By way of example only,FIG. 1 illustrates a hard disk drive 140 that reads from or writes tonon-removable, nonvolatile magnetic media. Removable media, such as auniversal serial bus (USB) memory 153 or CD/DVD drive 156 may beconnected to the PCI bus 128 directly or through an interface 150. Otherremovable/non-removable, volatile/nonvolatile computer storage mediathat can be used in the exemplary operating environment include, but arenot limited to, magnetic tape cassettes, flash memory cards, digitalversatile disks, digital video tape, solid state RAM, solid state ROM,and the like.

The drives and their associated computer storage media discussed aboveand illustrated in FIG. 1, provide storage of computer readableinstructions, data structures, program modules and other data for thecomputer 110. In FIG. 1, for example, hard disk drive 140 is illustratedas storing operating system 144, application programs 145, other programmodules 146, and program data 147. Note that these components can eitherbe the same as or different from operating system 134, applicationprograms 135, other program modules 136, and program data 137. Operatingsystem 144, application programs 145, other program modules 146, andprogram data 147 are given different numbers here to illustrate that, ata minimum, they are different copies. A user may enter commands andinformation into the computer 20 through input devices such as amouse/keyboard 162 or other input device combination. Other inputdevices (not shown) may include a microphone, joystick, game pad,satellite dish, scanner, or the like. These and other input devices areoften connected to the processor 120 through one of the I/O interfacebusses, such as the SPI 126, the LPC 127, or the PCI 128, but otherbusses may be used. In some embodiments, other devices may be coupled toparallel ports, infrared interfaces, game ports, and the like (notdepicted), via the super I/O chip 160.

The computer 110 may operate in a networked environment using logicalconnections to one or more remote computers, such as a remote computer180 via a network interface controller (NIC) 170. The remote computer180 may be a personal computer, a server, a router, a network PC, a peerdevice or other common network node, and typically includes many or allof the elements described above relative to the computer 110. Thelogical connection between the NIC 170 and the remote computer 180depicted in FIG. 1 may include a local area network (LAN), a wide areanetwork (WAN), or both, but may also include other networks. Suchnetworking environments are commonplace in offices, enterprise-widecomputer networks, intranets, and the Internet. The remote computer 180may also represent a web server supporting interactive sessions with thecomputer 110.

In some embodiments, the network interface may use a modem (notdepicted) when a broadband connection is not available or is not used.It will be appreciated that the network connection shown is exemplaryand other means of establishing a communications link between thecomputers may be used.

A storage token 154 may be removably attached to the computer 110. Thestorage token 154 may be a smart card or other device capable ofcryptographic one-way or mutual authentication between itself and one ormore processes on the computer 110 or remote computer 180. A token API148 may be available for application programs 145 or for a remotecomputer 180 connected via network 170 to access the storage token 154.The storage token may have a user interface (not depicted) for displayof information and input of data. The use of the storage token 154 isdiscussed in more detail below.

Note that an Internet identity may not be restricted to Internetaccessible providers. For example, a corporation could use Internetidentities in the sense of this description, even though a companyIntranet or local area network server could host the identity managementfunction.

FIG. 2 is a block diagram illustrating a token 200 used to supporttrusted Internet identities. The token 200 may include a processor 202,a general memory 206, a cryptographic processor 208, and a first bus 209connecting these components. A secure memory 204 may be accessed via thecryptographic processor 208 and may include storage locations for keys214 and program code 216. The program code may include modules forstorage management 218, communication 220, request management 222, anduser interface 224. The cryptographic processor 208 may be used toaccelerate cryptographic processes such as encryption and signing.

The general memory 206 may include memory locations generally availableto users and may be used to store a plurality of files, such as file x226, and file y 228. These files may be data, programs, media, etc. Thegeneral memory 206 may also include publicly available, non-secureoperations-oriented data, such as public keys 230.

A bus interface 210 may connect to a second bus 212. The second bus 212may allow removable coupling to a host, such as a computer 110, shown inFIG. 1. While the host may be a computer, the host may also be acellular telephone, smart phone, personal digital assistant, mediaplayer, a networked terminal device, a server, etc. The second bus 212may be a USB interface, a 1394/firewire interface, or any of severalother existing or emerging data connections. In some embodiments, thetoken 200 may be removably attached to a host. However, in otherembodiments, the token 200 may be embedded in a device, such as aportable device. In still other embodiments, the token 200 may besecured in a device, such as a computer or server, so that attemptedremoval may cause damage to the token 200, the host device, or both.

In operation, after coupling to a host, the processor 202 may access theuser interface module 224 to present a user with options for storing andsecuring data, such as file x 226 or file y 228. To add protection to anexisting file, a user may select an Internet identity from an addressbook containing identities. The address book may be associated with amail program, an instant messaging program, etc. The Internet identityof the user may be in the form of an alias, such as a screen name, amail address, or another name. Once a user has been identified, the filemay be marked with metadata for access control. For example, file x 226may be designated to allow read access to user A and user C. File y 228may be designated to allow read access to user A and user B. Unlikeconventional access control, the identification of users A, B, and C maynot be tied to an operating system or local network login identity. Theuser identity may be associated with the user's Internet identity, asassigned by a third party over which local account managers/networkmanagers have no control.

When access to a file is requested, the access rights may be checked andthe request's validity may be verified using a known public key or byanalyzing an associated request packet. The request packet may includean Internet identity in the form of a self-signed certificate or atime-limited cookie containing the Internet identity, a public key forthe Internet identity, and information identifying the requested file.The identifying information may be or include a file name, file id (suchas a hash of some or all of the contents), metadata (e.g. author, datesaved, title), etc.

If the Internet identity is verified, and that identity is designed ashaving rights to the requested file, the access may be granted. Accessmay include the ability to read the file, write/update the file, ordelete the file. Additional rights may allow the request to change theaccess rights to the file. In other words, the token 200 may enforcecontrols using Internet identities similar in content and scope to thoseused to control a conventional, local file system, for example, in aUNIX environment.

FIG. 3 illustrates a topology 300 and sample data flows corresponding tothe use of Internet identities for access control. A network 302connects various elements of the topology 300. The network 302 may bethe Internet. The network 302 may also be an enterprise network, acorporate intranet, etc. The network may support data communication withan Internet identity provider 304. The term Internet is used heregenerically and for ease of illustration. The Internet identity provider304 may, in practice, not have connectivity to the world-wide networkknown collectively as the Internet. The network may support a user A 306and a user B 308. The users 306, 308 may be computers, smart phones,handheld appliances, etc.

A host computer 310 may also be coupled to the network 302 and beaccessible to the identity provider 304 and users 306, 308. A token 312,similar to the token 200 of FIG. 2, may have files x 314 and y 316. Thefile x 314 may have access rights designated to user A 306 and user C(not depicted). The file y 316 may have access rights designated to userA 306 and user B 308.

User A 306 may send a request 318 to the token 312 requesting access tofile x 314. The token 312 may send a confirmation request 320 to theInternet identity provider 304. The Internet identity provider 304 mayprepare a confirmation of identity using criteria provided in theoriginal request 318. For example, a global cookie sent in the originalrequest 318 may include encrypted authentication information that isforwarded to the Internet identity provider 304.

The Internet identity provider 304 may verify the encryptedauthentication information and send a reply 322 to the token 312. Thereply 322 may include a local cookie with an expiration date and asigned confirmation of identity. If the signed confirmation is verifiedby the token and the identity matches that of the requestor (i.e. user A306), instructions 324 may be executed that make file x 314 available326 to the requestor.

To improve security, several measures may be taken. For example, filesmay be encrypted with a local key while stored. Therefore, the makingthe file available to the requestor may involve decrypting the filelocally before making the file available. In other embodiments, insteadof or in addition to local encryption, files may be encrypted with therequestor's public key when being made available. In this way, only therequestor can decrypt the file using its corresponding private key.

Illustrating an alternate flow, user B 308 issues a request 328 to theInternet identity provider 304. The request 328 may include a loginidentification and password sequence so the Internet identity provider304 can verify the identity of user B 308. Using file identificationinformation in the request 328, the Internet identity provider 304 maydirectly send a request 330 to the token 312. The request 330 may besent via an instant message network, text messaging service, email,etc., and may also include verification data along with fileidentification information.

After the token 312 confirms the verification data and also confirmsthat the requesting party has rights to the requested file, instructions332 may be issued to make the file available 334 to user B 308.

FIG. 4 is a method 400 of securing data using an Internet identity. Atblock 402, a management utility, such as user interface 224 of FIG. 2,may be installed and executed on a host computer, such as computer 110of FIG. 1. The management utility 224 may support assignment of fileaccess rights to a file, such as file x 314. The file 314 may includesimple data, but may also be an executable program, media, securityinformation, etc. In one embodiment, the management utility 224 mayreside on a file system (for example, secure memory 204) that alsocontains the file 314 receiving the rights assignments, even though themanagement utility 224 may be executed on the host computer 110.

At block 404, file access rights may be assigned to the file 314 for anInternet identity, for example, Internet entity user A 306. Theprivileges associated with making the access rights assignment mayinvolve first establishing those privileges by asserting a secondInternet identity, e.g. user B 308. Both the first and second Internetidentities 306 308 may be identities that are independent of anoperating system identity associated with the host computer 110. Thatis, status or existence of a local account on the host computer 110 maynot be considered when determining whether to allow assignment of accessrights to the file 314. Optionally, the file 314 may be encrypted with alocal key while stored.

At block 406, a request to access the file 314 may be received. Therequest may include an Internet identity of a requestor (e.g. user A306) and file identification information. Alternatively, the request mayinclude a cookie or other authenticated packet including the Internetidentity, a public key, and a cookie expiration date.

At block 408, after receiving the request, a token 200, or other requestprocessor, may access an Internet identity provider 304 over a networkconnection 302. The Internet identity provider 304 may allow retrievalof a public key associated with the Internet identity of the requestor.

At block 410, the token 200 may confirm the Internet identity using thepublic key to authenticate data in the request. That is, the token 200may use the public key associated with the Internet identity to decryptor verify the signature of a portion of the request signed with theprivate key associated with the Internet identity.

At block 412, the token 200 may determine if the requesting Internetidentity has access rights to the file identified in the request, e.g.file 314.

At block 414, the token 200 may the confirm that requestor hasestablished its Internet identity and has access rights to the file 314.If so, the ‘yes’ branch may be taken to block 416 and access may beallowed. If the file 314 was encrypted for storage at block 404, thefile 314 may be decrypted. At block 418, if required by the accessrights for the file 314 or by policy, the file 314 may be encrypted withthe private key of associated with the Internet identity 306. This willhelp ensure privacy of the file 314.

If, at block 414, either the Internet identity of the requestor cannotbe confirmed, or the requestor does not have rights to the file 314, the‘no’ branch may be followed to block 420 and access to the file 314 maybe denied. It may be a matter of policy whether to respond to arequestor whose request is denied, and if allowed, what error messagemay be returned.

The use of an Internet identity to set and confirm file access rightsallows uniform file access policies to be established across differentoperating systems and networks. Because file access is not a function oflocal policy or rules. Even files on a portable token can be uniformlyprotected since encrypted contents can only be accessed by predeterminedInternet identities. This remains true even if the token is lost orstolen.

The use of cookies with Internet identity information and expirationinformation allows access to confirmed entities even if networkconnections are limited or not available.

Although the foregoing text sets forth a detailed description ofnumerous different embodiments of the invention, it should be understoodthat the scope of the invention is defined by the words of the claimsset forth at the end of this patent. The detailed description is to beconstrued as exemplary only and does not describe every possiblyembodiment of the invention because describing every possible embodimentwould be impractical, if not impossible. Numerous alternativeembodiments could be implemented, using either current technology ortechnology developed after the filing date of this patent, which wouldstill fall within the scope of the claims defining the invention.

Thus, many modifications and variations may be made in the techniquesand structures described and illustrated herein without departing fromthe spirit and scope of the present invention. Accordingly, it should beunderstood that the methods and apparatus described herein areillustrative only and are not limiting upon the scope of the invention.

1-32. (canceled)
 33. A removable storage token supporting file accesscontrol, comprising: a processor; a secure memory storing private keysand executable code for use by the processor; a general-use memory; afirst bus coupling the processor, secure memory, and the general-usememory; a second bus for removably coupling the removable storage tokento a computing device; a storage management module executable by theprocessor for assigning access control rights to data stored in thegeneral-use memory; a communication module for execution by theprocessor for parsing a request for access to the general-use memoryinto a file identifier and a credential; and, a request moduleexecutable by the processor for determining when the credential includesa valid Internet identifier corresponding to an assigned access controlright.
 34. The removable storage token of claim 33, further comprising auser interface module for presenting a user interface on a host devicefor setting access control rights.
 35. The removable storage token ofclaim 33, wherein the communication module further supports accessing aweb service corresponding to the valid Internet identifier.
 36. Theremovable storage token of claim 33, wherein an Internet identityvalidation is stored in the secure memory and is released when anauthorized entity is validated at the removable storage token.
 37. Theremovable storage token of claim 33, further comprising a cryptographicengine for performing cryptographic operations.
 38. A method ofperforming file access control comprising: acquiring an Internetidentity at a third-party provider; accessing the Internet identity;setting an access right to the file using the Internet identity;requesting access to the file by supplying a request and a credentialverifying the Internet identity; determining if the credential matchesthe Internet identity; and providing access to the file when thecredential matches the Internet identity.
 39. The method of claim 38,further comprising: encrypting the file with a key associated with theInternet identity when storing the file.
 40. The method of claim 38,further comprising: encrypting the file with a key associated with theInternet identity when providing the file to a requestor.
 41. The methodof claim 38, wherein setting the access right comprises setting theaccess right to the file stored on a removable storage token.
 42. Amethod, comprising: receiving, from a requester, a request to accessdata, the request including an Internet identity and a dataidentification; sending a confirmation request to an Internet identityprovider; receiving a confirmation of identity that indicates whetherthe Internet identity is authorized to access the data; verifying, atleast in part on information from the confirmation of identity, that therequester is associated with the Internet identity; and, in an instancewhere the requester is associated with the internet identity, providingaccess to the data.
 43. The method of claim 42, wherein the providingaccess comprises encrypting the data with a public key of the Internetidentity and providing access to the encrypted data.
 44. A system,comprising: a processor; a secure memory storing private keys andexecutable code for use by the processor; a general-use memory; astorage management module executable by the processor and configured toassign access control rights to data stored in the general-use memory; acommunication module executable by the processor and configured to parsea request for access to the general-use memory into an identifier and acredential; and, a request module executable by the processor andconfigured to determine when the credential includes a valid Internetidentifier corresponding to an assigned access control right.
 45. Thesystem of claim 44, embodied as a smart card, a cellular telephone, asmart phone, a personal digital assistant, a media player, a networkedterminal device, a server, or a portable device.